A threat actor suspected of having ties to the Iranian state-sponsored threat group MuddyWater recently conducted an attack that used Chaos ransomware as a “false flag” to obscure its true motives, Rapid7 reported Wednesday.
Rapid7 researchers investigated the attack in early 2026, finding that despite ransom demands and the apparent publication of victim data to the Chaos ransomware leak site, no files were encrypted and the attacker used certificates and infrastructure tied to MuddyWater.
“What stands out is the mismatch between the Chaos branding and the intrusion behavior: extortion and publication occurred, but the operation lacked a typical encryption phase and showed stronger signs of access, credential theft, persistence, and intelligence collection,” Rapid7 Vice President of Cyber Intelligence Christiaan Beek told SC Media.
Chaos is a ransomware-as-a-service (RaaS) operation that has been active since February 2025 and mostly targets large organizations in the United States. Typical Chaos ransomware attacks involve double extortion, including both exfiltration and encryption of victim files.
MuddyWater, also known as Seedworm, is an Iranian advanced persistent threat (APT) group linked to Iran’s Ministry of Intelligence and Security (MOIS). The group has historically targeted government and critical infrastructure organizations in the Middle East with the goal of long-term espionage and has also conducted similar attacks against U.S. and European organizations.
Microsoft Teams social engineering enabled credential theft
Earlier this year, the APT group infiltrated the networks of multiple U.S. companies, including financial institutions, an airport, and a defense and aerospace supplier.
The recent intrusion investigated by Rapid7 began with social engineering via Microsoft Teams, where employees were convinced to share their screen, enter their credentials into text files and, in some cases, submit their credentials through a phishing link. Some employees were also made to add attacker-controlled devices to their multi-factor authentication (MFA) settings.
The attackers used the stolen credentials to gain access to internal systems and establish persistence via remote desktop protocol (RDP) sessions and use of the remote management tool DWAgent, Rapid7 said. RDP sessions were also leveraged to achieve lateral movement between systems. A curl command was used to install a downloader called “ms_upd.exe,” which contacted the command-and-control (C2) domain “moonzonet[.]com” and installed additional payloads including a custom backdoor called “Game.exe.”
Game.exe is a trojanized version of the legitimate Microsoft WebView2 application, and performs a range of anti-analysis checks before connecting to the C2 domain “uploadfiler[.]com.” The malware sends victim host information to the C2 and then infinitely polls the server for incoming commands every 60 seconds.
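The fixed 60-second polling cadence described above is something a defender can look for in egress logs independently of the domain names. The following is an added example, not Rapid7’s or the victim’s tooling: it assumes a constructed proxy-log format of `<ISO timestamp> <host> <destination domain>` and flags host/destination pairs that either contact one of the C2 domains reported in the write-up or poll a destination at a near-constant interval; the interval, tolerance and minimum-hit thresholds are assumed values chosen for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# C2 domains reported in the Rapid7 write-up, kept defanged as published.
REPORTED_C2 = {"moonzonet[.]com", "uploadfiler[.]com"}
KNOWN_C2 = {d.replace("[.]", ".") for d in REPORTED_C2}

def parse_line(line):
    """Constructed log format: '<ISO timestamp> <host> <dst_domain>'."""
    ts, host, dst = line.split()
    return datetime.fromisoformat(ts), host, dst

def analyze(lines, expected_interval=60.0, tolerance=5.0, min_hits=4):
    """Map (host, dst) -> reasons, for pairs that contact a reported C2 domain
    or beacon with a median gap near expected_interval and low jitter."""
    series = defaultdict(list)
    for line in lines:
        ts, host, dst = parse_line(line)
        series[(host, dst)].append(ts)
    findings = {}
    for (host, dst), stamps in series.items():
        reasons = []
        if dst in KNOWN_C2:
            reasons.append("reported-c2-domain")
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits:
            median, jitter = statistics.median(gaps), statistics.pstdev(gaps)
            if abs(median - expected_interval) <= tolerance and jitter <= tolerance:
                reasons.append(f"periodic-{round(median)}s")
        if reasons:
            findings[(host, dst)] = reasons
    return findings

# Constructed sample: WS-17 polls a destination every ~60 s, WS-04 browses normally.
SAMPLE_LOG = """\
2026-02-10T09:00:00 WS-17 uploadfiler.com
2026-02-10T09:01:00 WS-17 uploadfiler.com
2026-02-10T09:02:01 WS-17 uploadfiler.com
2026-02-10T09:03:00 WS-17 uploadfiler.com
2026-02-10T09:00:10 WS-04 example.org
2026-02-10T09:07:45 WS-04 example.org
2026-02-10T09:08:00 WS-04 example.org
2026-02-10T09:40:12 WS-04 example.org""".splitlines()

if __name__ == "__main__":
    for pair, reasons in analyze(SAMPLE_LOG).items():
        print(pair, reasons)
```

The periodicity check is deliberately independent of the domain list, so it still fires when an operator rotates infrastructure but keeps the same polling loop.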
Espionage, persistence and extortion blurred the attack’s true motive
The backdoor supports executing commands via cmd.exe or PowerShell, writing base64-encoded files, deleting files, and starting and stopping interactive shells. Rapid7 said that while it discovered Chaos ransomware artifacts during its investigation, no files were encrypted and no ransom note was found on the affected systems. Overall, Rapid7 noted, the attack chain was inconsistent with typical ransomware behavior.
The attacker later emailed employees and attempted to initiate ransom negotiations for the allegedly stolen data. Rapid7 found no sign on the affected systems of the note containing “access credentials” that the attacker referenced; however, data was subsequently published on the data leak site and confirmed as legitimate by the victim organization.
Rapid7 attributed the attack to MuddyWater with moderate confidence based on evidence that included a code-signing certificate and C2 domain known to be used by the group. The ms_upd.exe downloader was signed using a certificate under the name “Donald Gay,” which has previously been used by MuddyWater to sign its Stagecomp downloader.
Additionally, the “moonzonet[.]com” C2 domain used by the downloader was also used in MuddyWater attacks targeting Israeli and Western organizations in early 2026. Further supporting evidence includes the use of pythonw.exe to inject code into suspended processes and the use of interactive Microsoft Teams social engineering to harvest credentials, both consistent with MuddyWater’s tradecraft, according to Rapid7.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Department of Defense Cyber Crime Center (DC3) previously issued a joint advisory in 2024 warning that Iranian state-sponsored attackers were collaborating with ransomware groups, namely members of the Iranian APT known as Pioneer Kitten. In some cases these attackers would conceal their Iranian affiliation from RaaS operators while leveraging the extracted data for espionage purposes, officials said.
While Rapid7 concluded that the use of Chaos ransomware branding was likely an attempt to complicate attribution, and possibly to delay the discovery of persistence mechanisms, Beek told SC Media that direct collaboration with a ransomware actor could not be ruled out.
“The 2024 CISA/FBI/DC3 advisory established precedent for Iran-based actors enabling ransomware activity while also conducting espionage-aligned operations. This case could fit several models: a state-linked actor using Chaos as cover, a state-linked actor collaborating with or leveraging a ransomware affiliate, or an operator using criminal monetization alongside tasking that serves state objectives,” Beek said.